The Important Piece That May Be Missing From Your Breach Response Planning
The value of including HR in your data breach response planning
Getting a call that there's been a data breach and employee records are missing is always a nightmare. There's no way around it, but it's infinitely worse without a plan in place and a team trained to deal with it. When it comes to managing employee data, Human Resources (HR) has an incredibly important role to play within the organization and can serve a vital role on the data breach response team.
In today's risky digital environment, employees are at the frontlines of cybersecurity. Companies that know their employees well and have IT and HR departments working closely together stand a much better chance of minimizing the risk and making a quick recovery, provided they can confirm a data breach quickly, minimize the damage, and lock down their most important data quickly and effectively.
What that means is that there is value in training the HR department, so that a business has an informed, trained workforce that knows both how to prevent breaches and, most importantly, what to do should one ever occur.
Who should be involved in data breach planning?
The best data breach plans are put together by teams drawn from a wide range of departments, which should include members from the following:
- Executive leadership
- Public relations
- Human resources
- Legal
- Customer care
- Information technology (IT)
Once the team is assembled, the next step is to map out the responsibilities for each department. For example, PR will draft the data breach letters, IT will run data breach recovery services, and the C-Suite execs will rethink data breach protocols. HR can take the lead in supporting employees as part of this process.
Why HR is playing such a pivotal role in cybersecurity
In today's modern workforce, HR is doing far more than simply onboarding new employees and managing their working environment. Particularly with the rise of remote work and the lack of a centralized workspace, it's often the HR department that knows the employees best and deals with them regularly.
That's one of the reasons why HR is on the frontlines when it comes to cyber events involving employees.
The way that employees manage their data has a profound impact on an organization's overall cybersecurity footprint. Mercer’s 2020 Global Talent Trends study revealed the surprising fact that more than half of all executives (62%) worried more about their employees' compliance with data security than they did about hackers.
The 3 areas where HR can have the biggest impact
Protecting company data
With the explosive growth of remote work and the realities of managing a distributed workforce, many HR departments are part of the training on the safeguarding of sensitive data and the secure use of devices and platforms in a mobile-first, cloud-enabled workforce.
When dealing with employees and third-party vendors who have access to an organization’s data, a team-based approach to managing this data can include HR, IT, and an empowering C-Suite that understands the changing nature of work and the rapidly evolving online threats that, frankly, can seem overwhelming at times.
Robust cyber liability insurance is turning out to be a big drawcard, both for clients and for employees who want to know that the company will not turn a blind eye when their data suddenly turns up on the dark web as the result of a breach.
Much of the workforce today is still remote or hybrid, so extra precautions should be taken to protect the individual’s private information from cyberattacks. One important step is to ensure that the devices used in remote work are connected to the internet via ethernet rather than WiFi when possible. Alternatively, if WiFi must be used, the employee should be using a virtual private network (VPN) to ensure their data is encrypted and secure.
Setting employee & third-party access levels
In early May of 2022, Russians woke up to see that a prominent Russian news website was running dozens of articles that criticized President Putin and told the truth about the war in Ukraine. How did this happen? It turns out that a pair of journalists who had worked there previously had never had their access to the backend of the site revoked, and could still get into the system and publish whatever they wanted.
All too often, data breaches occur via ex-employees who were never offboarded properly.
HR must work with other departments across a company to help ensure employees are offboarded properly and access to systems and data is revoked.
Furthermore, HR departments can work with company stakeholders to determine who in a company needs access to what, and which employee and corporate data is most critical. Permissions can be set up during the onboarding process and changed or deleted on offboarding, for both employees and third-party providers.
Other areas where HR can be very effective:
- Guidance on recognizing phishing attempts and on password security
- Best practices for bring-your-own-device
- Remote access
- Business continuity
Creating a strong cybersecurity culture & environment
A highly educated and experienced cybersecurity team is just the tip of the iceberg when it comes to data breach mitigation. You'll need to provide comprehensive incident response training to several areas of your organization, including human resources, public relations, legal, finance, and customer service. These departments all have a critical role to play in the event of a data breach and must be able to act without hesitation.
Being the first and last point of contact for many employees offers HR an important role in the cybersecurity culture of your organization. They can set the company culture around advocating digital privacy protection and train employees to use data privacy tools.
HR can use data breach notification examples and contribute to data breach protocols that protect sensitive information such as employee salaries or benefits plans from being an easy target for criminal hackers.
What to do next
Make sure your HR department is doing what it can to mitigate risk by following the steps above, such as training employees with up-to-date cybersecurity practices, removing access for previous employees, and conducting incident response trainings.
If your business doesn’t have a breach response plan in place yet, it’s important to create one. With IDX’s no cost MSA breach solution, you can prepare your company for a breach and only pay once your company has experienced a breach.
As the nation’s largest provider of data breach response services, IDX shoulders the responsibility of protecting over 40 million consumers. Thousands of organizations have come to depend on our disruptive technologies and services in ways that empower consumers to take back control of their privacy and identity.
Reach out to one of our business solutions reps right now to get started with IDX and protect your workforce.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.